NIS2: What It Actually Means for a 20-Person Company

If you run a 20-person company, the first thing to know about NIS2 is genuinely reassuring: you are very likely not directly in scope. The directive's size threshold generally kicks in at 50 employees or €10 million in annual turnover, well above where most small businesses sit. If you stopped reading here, you wouldn't be wrong.
But that's also exactly why this article exists. The direct-scope question is the wrong question for most SMEs. The right one is: does one of my clients, or one of my clients' clients, fall under NIS2? Because if the answer is yes, the directive is already headed your way, just not through the front door.
The scope, in plain terms
NIS2 (Directive 2022/2555) replaced the original 2016 NIS Directive and came into force in January 2023, with EU member states required to transpose it into national law by October 17, 2024. It covers 18 sectors (energy, transport, banking, health, digital infrastructure, waste management, manufacturing of critical products, digital providers, and more) compared to just 7 under the original directive. The scale of the expansion is the headline number regulators keep repeating: roughly 160,000 organizations across the EU now fall under NIS2, up from an estimated 10,000 to 15,000 under the old rules.
Two entity categories exist:
- Essential entities: generally larger organizations (250+ employees or over €50 million turnover) in the most critical sectors, subject to proactive supervision.
- Important entities: medium-sized organizations (50+ employees or over €10 million turnover) in a broader set of sectors, subject to reactive oversight.
Below those thresholds, most companies are excluded by default, with a handful of exceptions regardless of size: DNS providers, top-level domain registries, trust service providers, and certain public administration bodies.
So far, this confirms what you suspected: a 20-person marketing agency, a small logistics broker, or a boutique consultancy isn't going to receive a letter from a national cybersecurity authority. That part of the story is genuinely calm.
Where it gets relevant anyway: the supply chain clause
Article 21 of NIS2 requires every essential and important entity to implement ten minimum cybersecurity measures, and one of them, explicitly, is supply chain security. In practice, this means an in-scope company has to assess and manage the cyber risk posed by its suppliers, contractors, and service providers. It cannot simply certify itself and ignore who it works with.
This is the mechanism that pulls small companies in indirectly. If you provide IT services, software, hosting, logistics, manufacturing components, or any kind of outsourced function to a company that is itself an Essential or Important entity, you are now part of their risk perimeter, whether or not you've ever heard of NIS2. In practice this shows up as:
- A security questionnaire before contract renewal that didn't exist last year.
- A clause requiring you to report security incidents to your client within a specific timeframe.
- A request for evidence of basic controls (access management, backup procedures, incident response) as a condition of keeping the contract.
None of this makes you legally "in scope" of NIS2 in the way a 300-person energy company is. But contractually, your client's compliance obligations become your problem the moment they flow down the supply chain, and for a 20-person business, losing one client over a failed security questionnaire can matter a great deal more than it does for a large group with a diversified customer base.
What the ten minimum measures actually cover
Even without being formally in scope, Article 21's ten measures are a useful, low-drama checklist for any SME that wants to be ready when a client asks, rather than scrambling in a week:
- Risk analysis and information system security policies
- Incident handling procedures
- Business continuity: backup management, disaster recovery, crisis response
- Supply chain security (your own vendors and providers)
- Security in system acquisition, development, and maintenance
- Policies to assess the effectiveness of security measures
- Basic cyber hygiene and staff training
- Policies on cryptography and encryption
- Human resources security, access control, and asset management
- Use of multi-factor authentication and secure communications
Read that list again with a specific question in mind: how many of these could you actually demonstrate to a client tomorrow, with evidence, not just a verbal assurance? For most SMEs, the honest answer is "some, informally, but nothing written down." That gap, not the legal scope of the directive itself, is where the real exposure sits.
2026 is the year enforcement starts to bite
The transposition deadline has passed, and by early 2026 the majority of EU member states had adopted NIS2 into national law, with the rest following closely behind. Enforcement is no longer theoretical: many essential entities face a major milestone around mid-2026 to complete their first formal compliance audit, and the 24-hour early-warning reporting rule for significant incidents is now fully in effect.
The European Commission has also proposed amendments in early 2026 to simplify compliance for smaller organizations and clarify some scope questions, a sign that the framework is still settling, but the direction (broader accountability across supply chains, not narrower) isn't in question.
For a company squarely in scope, this means audits and formal governance. For a 20-person company outside the direct scope, it means the questionnaires from clients are only going to become more frequent and more detailed, not less.
What this means for you this quarter, practically
You don't need a compliance department to respond sensibly to this. Three things are worth doing regardless of whether NIS2 ever applies to you directly:
- Map which of your clients are likely in scope. If a meaningful share of your revenue comes from energy, health, finance, transport, public administration, or digital infrastructure clients, assume the questionnaires are coming.
- Write down what you already do informally. Most SMEs have some practice around backups, access control, and incident response, it's just not documented anywhere a client could review it. Documentation is often 80% of what's actually being asked for.
- Close the two gaps that show up in almost every questionnaire: multi-factor authentication on critical accounts, and a tested, verifiable backup process that isn't just "the files are on a drive somewhere." These are the two controls compliance teams ask about first, because they're the two that most directly limit the damage of a ransomware incident.
NIS2 was written for critical infrastructure. But its supply chain clause means the directive's actual reach extends well past its legal scope, into every small business that sells to someone bigger. Being ready for that conversation costs a lot less than losing the contract over it.


